[strongSwan] Troubles with connection from Win 7 client (l2tp/ipsec-cert, ikev2-machine_cert, ikev2-eap_mschapv2) !
CpServiceSPb
cpservicespb at gmail.com
Sat Sep 20 23:53:57 CEST 2014
I have xl2tpd and strongSwan 5.1.2 installed on Ubuntu 14.04 LTS as VPN
servers, and Win XP / Win 7 clients (most of them are behind NAT). The server is
not behind NAT.
I set up 3 connection types: l2tp/psk, l2tp/ipsec (cert) and ikev2.
The l2tp/psk connection is successful for both Win XP and Win 7.
The l2tp/ipsec (cert) connection is successful for Win XP only.
But the l2tp/ipsec (cert) and ikev2 connections don't work for Win 7.
Below is the interactive logging (made in ipsec --nofork mode) while Win 7
connects, and the ipsec.conf for l2tp/ipsec (cert) and for the two types of ikev2
procedure.
The external IP of the strongSwan server is used in the VPN connection
properties.
The server certificate (located on the strongSwan server) has the FQDN and external IP
95.24.95.95 in subjectAltName, and the CN contains the FQDN of the strongSwan server.
For L2TP/IPsec with certificate (Win 7):
11[IKE] IKE_SA ikev1_l2tp_rsa[1] state change: CONNECTING => ESTABLISHED
11[IKE] DPD not supported by peer, disabled
11[IKE] sending end entity cert "C=RU, ST=North, L=City, O=Org, OU=Main, CN=
gate_name.mydomain.net, N=My Server certificate, E=admin at mydomain.net"
11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1484 bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(1900 bytes)
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1484 bytes)
11[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(1900 bytes)
11[IKE] received retransmit of request with ID 0, retransmitting response
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1484 bytes)
12[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(1900 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1484 bytes)
For IKEv2 with machine-sited certificate (Win 7):
14[IKE] CHILD_SA ikev2_machine_cert{2} established with SPIs c8c7c4c5_i
333c9d8a_o and TS 0.0.0.0/0 === 10.10.1.2/32
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS NBNS)
SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1660 bytes)
05[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(2476 bytes)
05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP)
CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
05[IKE] received retransmit of request with ID 1, retransmitting response
05[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1660 bytes)
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76
bytes)
15[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(2476 bytes)
15[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP)
CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
15[IKE] received retransmit of request with ID 1, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1660 bytes)
13[IKE] retransmit 3 of request with message ID 0
13[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76
bytes)
For IKEv2 with EAP-MSCHAPv2 and certificate (Win 7):
15[IKE] authentication of '95.24.95.95' (myself) with RSA signature
successful
15[IKE] sending end entity cert "C=RU, ST=North, L=City, O=Org, OU=Main, CN=
gate_name.mydomain.net, N=My Server certificate, E=admin at mydomain.net"
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1516 bytes)
08[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(1340 bytes)
08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS
NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
08[IKE] received retransmit of request with ID 1, retransmitting response
08[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1516 bytes)
14[NET] received packet: from 79.135.235.142[64775] to 95.24.95.95[4500]
(1340 bytes)
14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS
NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
14[IKE] received retransmit of request with ID 1, retransmitting response
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775]
(1516 bytes)
ipsec.conf:
conn %default
compress=yes
dpdaction=clear # tried dpdaction=restart
dpddelay=40
dpdtimeout=130
forceencaps=yes
ikelifetime=8h
keyingtries=10
keylife=10800
margintime=15m
conn l2tp_ipsec
auto=add
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
keyexchange=ikev1
keyingtries=2
left=95.24.95.95
leftauth=pubkey
leftcert=/etc/ipsec.d/certs/server.crt
leftid=95.24.95.95
leftprotoport=udp/%any
mobike=no
rekey=no
right=%any
rightauth=pubkey (also tried rsa)
rightsendcert=never
rightsubnet=0.0.0.0/0
type=transport
conn ikev2_eap_mschapv2
auto=add
eap_identity=%any
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
keyexchange=ikev2
left=95.24.95.95
leftauth=pubkey
leftcert=/etc/ipsec.d/certs/server.crt
leftid=95.24.95.95
leftsendcert = always
leftsubnet=0.0.0.0/0
mobike=yes
rekey=no
right=%any
rightauth=eap-mschapv2
rightsourceip=192.168.1.0/24
rightsendcert=never
conn ikev2_machine_cert
auto=add
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
keyexchange=ikev2
left=95.24.95.95
leftcert=/etc/ipsec.d/certs/server.crt
leftid=95.24.95.95
leftsendcert = always
leftsubnet=0.0.0.0/0
mobike=yes
rekey=no
right=%any
rightsourceip=192.168.1.0/24
rightsendcert=never
I think that the trouble is in some connection parameters, especially for
Win 7, but I cannot guess which ones.
Can somebody tell me where the trouble(s) is/are?
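Across the three excerpts the pattern is the same: the client keeps retransmitting its request and strongSwan keeps resending a large response (1484, 1660 or 1516 bytes) that carries the server certificate, which is a common sign that the UDP response is being fragmented at the IP layer and the fragments are dropped on the path (NAT devices frequently do this). The following Python script is an added example, not part of the post or of strongSwan; it scans strongSwan log lines for exactly that pattern. The 1400-byte threshold is an assumption, and the sample log is constructed from the excerpts above.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the log excerpts in the post above with the
# mail-wrapped records re-joined (one interleaved IKEv2 line kept to show why per-thread tracking matters).
SAMPLE_LOG = """\
11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
11[IKE] received retransmit of request with ID 0, retransmitting response
14[IKE] retransmit 2 of request with message ID 0
14[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (76 bytes)
11[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
12[IKE] received retransmit of request with ID 0, retransmitting response
12[NET] sending packet: from 95.24.95.95[4500] to 79.135.235.142[64775] (1484 bytes)
"""

THREAD_RE = re.compile(r"^(\d+)\[")
RETRANS_RE = re.compile(r"received retransmit of request with ID (\d+), retransmitting response")
SEND_RE = re.compile(r"sending packet: from \S+ to (\S+) \((\d+) bytes\)")

# Assumed threshold: an IKE message above ~1400 bytes plus IP/UDP (and NAT-T)
# headers no longer fits a 1500-byte path MTU and is fragmented at the IP layer.
FRAG_THRESHOLD = 1400

def find_stalled_responses(log_text, threshold=FRAG_THRESHOLD, min_resends=2):
    """Map (peer, request ID) -> (resend count, response bytes) for large, repeatedly resent responses."""
    pending = {}                 # worker thread -> request ID it is about to answer again
    resends = defaultdict(int)   # (peer, request ID) -> how often the response was resent
    sizes = {}                   # (peer, request ID) -> size of that response in bytes
    for line in log_text.splitlines():
        t = THREAD_RE.match(line)
        if not t:
            continue
        thread = t.group(1)
        m = RETRANS_RE.search(line)
        if m:
            pending[thread] = int(m.group(1))
            continue
        m = SEND_RE.search(line)
        if m and thread in pending:  # the resend that belongs to this thread's retransmit line
            key = (m.group(1), pending.pop(thread))
            resends[key] += 1
            sizes[key] = int(m.group(2))
    return {k: (n, sizes[k]) for k, n in resends.items()
            if n >= min_resends and sizes[k] > threshold}
```

Server-side remedies for this pattern are a smaller certificate (or chain) in the response and, in strongSwan 5.2.1 and later, the `fragmentation=yes` conn option, which lets strongSwan split large IKEv1 messages for Windows clients instead of relying on IP fragmentation.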